Sophos Research Uncovers Widespread Use of TLS By Cybercriminals

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database

CVE-2021-33561
PUBLISHED: 2021-05-24

A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. It is saved in the database. The code is executed for any user of store administration when informati…

CVE-2021-33562
PUBLISHED: 2021-05-24

A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL.

CVE-2021-33563
PUBLISHED: 2021-05-24

Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier.

CVE-2021-30108
PUBLISHED: 2021-05-24

Feehi CMS 2.1.1 is affected by a server-side request forgery (SSRF) vulnerability. When the user modifies the HTTP Referer header to an arbitrary URL, the server can be made to send a request to it.

CVE-2021-33525
PUBLISHED: 2021-05-24

EyesOfNetwork eonweb through 5.3-11 allows Remote Command Execution (by authenticated users) via shell metacharacters in the nagios_path parameter to lilac/export.php, as demonstrated by %26%26+curl to insert an "&& curl" substring for the shell.
